Automatic Firmware Updates

Started by wbennett, April 06, 2024, 10:59:01 PM

Just curious, how many folks out there are using Automatic Firmware Updates? For those who are, have you encountered any problems? For those that aren't, why not? Thanks!

April 07, 2024, 10:48:18 AM #1 Last Edit: April 07, 2024, 10:50:48 AM by Firewire
I configured a cronjob to run firmware updates every day at 4 AM.
It seems that minor updates are installed but major updates are only triggered when searching manually for updates. Not sure if my cronjob is correctly set. So far no stability issues with this setting.

My cronjob:
0 4 * * * Automatic firmware update

There also seem to be more options regarding automatic firmware updates:

  • Custom Firmware Update Check
  • Custom Firmware Update Install
  • Firmware Update Check

Not sure if multiple options need to be combined, thus multiple cronjobs are required.
Do we have a best practice for how to set automatic updates per cronjob?

automatic firmware? for me absolutely not and I certainly am not checking overnight! that is a bit excessive IMO

if you click the announcements page > then click notify you will get an email when updates are released...

the only automated job I have set is for unbound to update the dnsbl's.. and that is the first day and 15th of each month


With my bad experiences of OPNsense upgrades, I am highly against this, unless you are the only end user and do not care if your network is down for a few hours to days to figure out why. :D

Even with all of that, OPNsense is still better than the rest... :)

While I would never set up my router to auto update, I can also understand why someone would. 

I don't do it because there is always a chance that the update will break something and bring my whole network down.  Given that I am away from my house most of the day, this would be very annoying for everyone that is still at home.

However, the odds that a bug would bring down the network are relatively low, and if someone worked from home or was otherwise around to fix issues when they arose, having updates automatically applied would be convenient. 
Just a hobbyist trying to figure all this out.

I do auto patching check and install every Friday evening for my home firewall. If there are any issues, I will be at home on Saturday.

A firewall at a remote location, a client home/office, is done on Saturday evening.
I'm working there on having a second OPNsense firewall in place that will have a different patch day.
And I have an edge router, with IPSEC for fallback, if needed.

My firewalls will be migrated to Proxmox, on which I will create backups/snapshots.

I make auto backups of the configuration every day, just to be sure.

I think I never had any issues; also, this weekend my DHCP request on my IPTV WAN port did not work. I don't know why yet.

Most issues I had were with major upgrades, without an RCA. With minor updates, I never had any issues.

I'll simply say that I'm not going to do this. I still haven't had the chance to update to the latest fixes, and those fixes don't apply so they will wait a bit.

If it is a security breach, then yes I will update immediately to try and prevent it from happening to me. One of those, it depends.

I do have my Windows workstation auto update, but my servers are manual update. I schedule every second Wednesday of the month to go through and start the patching of the servers. Most zero day stuff I'll hear about and start looking for a patch immediately.

You likely won't hear much from the folks that are happy with auto-updates.

The only way to flush them out is break the auto-updates, but there are no plans to do it. ;)

I think it depends on the complexity of the setup, and having a weekly update schedule and due diligence, it's not even worth discussing the cons of the process.


Cheers,
Franco